30-Day Status Update On LibreSSL
Unfortunately the summary gets several important facts wrong, including the status of support from the Linux Foundation -- last status is ongoing discussions, not total ignore as the post summary says. And you can see what Bob actually said in the video Jason Tubnor uploaded to YouTube, "The real Bob Beck on OpenSSL talk".
OpenSSL Cleanup: Hundreds of Commits In a Week
Take a look at the actual commits. Quite a bit of 'KNF', but far from all of it. There's a lot of bug removal that will benefit everyone.
OpenSSL Cleanup: Hundreds of Commits In a Week
The work by the OpenBSD developers happens in the OpenBSD tree. Whether or not the OpenSSL project chooses to merge back the changes into their tree is yet to be seen. Given the activity level in the OpenSSL tree lately I find it more likely that the primary source of a maintained open source SSL library shifts to the OpenBSD project. To the extent that portability goo is needed it will likely be introduced after the developers consider the code base stable enough.
OpenSSL Cleanup: Hundreds of Commits In a Week
This is actually the OpenBSD developers diving in because the upstream (OpenSSL) was unresponsive. If you look at the actual commits, you will see removal of dead code such as VMS-specific hacks, but also weeding out a lot of fairly obvious bugs, unsafe practices such as trying to work around the mythical slow malloc, feeding your private key to the randomness engine, use after free, and so on.
It would look like it's been a while since anybody did much of anything besides half-hearted scratching in very limited parts of the code. This is a very much needed effort which is likely to end up much like OpenSSH, maintained mainly as part of OpenBSD, but available to any takers. We should expect to see a lot more activity before the code base is declared stable, but by now it's clear that the burden of main source maintainership moved to a more responsive and responsible team.
Apple's Spotty Record of Giving Back To the Tech Industry
Apple's main interface to the opensource world is through the FreeBSD project, which is how they also drew in PF, the OpenBSD packet filter and most likely shipped more copies of that code than any other consumer. However, they made some changes that they contributed back to the world #ifdef'ed with their own incompatible license. I wrote about that a couple of years back for Call for Testing magazine, see http://callfortesting.org/macp...
Theo De Raadt's Small Rant On OpenSSL
OpenBSD developer Ted Unangst (mentioned in the article) has gone into the code a bit more in two articles, both very well worth reading:
heartbleed vs malloc.conf
analysis of openssl freelist reuse. Short articles with a lot of good information.
New Fujitsu Laptop Reads Your Palm, For Security
I completely fail to see why this is supposed to be a good idea.
Whether it's port knocking, fingerprint reading or palm reading as in this case, can anybody point out why this is a more 'secure' authentication method than anything else?
I tend to think that a fingerprint or similar may possibly serve as a substitute for a user name, but would you want to let people sign in using usernames only, no password, ssh key or a generated one time pad? Other than that it was probably fun to make, I don't see any advantage at all to using a known constant as a substitute for the familiar user name plus password and/or other changeable secret.
Ask Slashdot: Best Open Source Project For a Router/Wi-Fi Access Point?
My money is on OpenBSD for projects like this. You get a very compact base system that still has all the stuff you need in there for a project like this. And even my old PF tutorial has enough info to get you up and running.
But with the man pages and the OpenBSD FAQ you really have all the information you need at your fingertips.
Amazon: Authors Can't Review Books
There's a slight hope that they either did not include tech authors in the ban or just didn't get around to us techies just yet. When I checked just now my review of Michael W. Lucas' SSH Mastery was still available.
Huawei Offers 'Complete and Unrestricted' Source Code Access
Much like I assume a lot of other /. readers, my trust in the equipment I use to do what it's supposed to do comes from my access and ability to read the source code. There have been minor dust-ups in the open source world about allegations that other governments than China inserted back doors in widely used software, and we still see those allegations surfacing from time to time, but never with anything solid to back them up. I believe searches on the obvious keywords will turn up stories linked from here, as well as links to source code repositories of very high quality indeed.
So my advice for Huawei is, let the world see your source code, and please set up a mechanism for reviewing your own code and patches.
Ask Slashdot: Best Way To Monitor Traffic?
If you can set up your gateway to export Netflow data, you get excellent data for tracking your traffic (connection metadata) without all the bulk of keeping a full copy of the traffic.
There's a large number of tools available for collecting, analyzing and otherwise dissecting collected Netflow data, with a good number most likely available via your favorite free Unix-like operating system's packages collection. My favorite combo is to set up an OpenBSD box as the gateway, have it export traffic data via the pflow(4) facility and do the collection and analysis bits somewhere via nfdump/nfsen (see eg nfsen.sourceforge.net for info).
There are various resources available within direct reach of web search, but I would also recommend taking a look at Michael W. Lucas' book Network Flow Analysis for a nice treatment of Netflow in general (it uses flow-tools, but most of what he writes will be useful in the context of other tools too).
Getting the Most Out of SSH
I think it's worth mentioning to anybody who enjoyed this article that Michael W. Lucas has a fresh SSH book out called 'SSH Mastery'. Initially an ebook, but becoming available right about now in a paper version too.
Amazon will have it, or if you're shopping for OpenBSD stuff anyway (as you should, OpenSSH which is almost certainly the ssh and sshd on your system, is essentially an in-tree development at OpenBSD), www.openbsd.org/books.html and tentacles of the ordering system will show you where to get it.
Europe's Largest IT Company To Ban Internal Email
I think the main problem here is that at least a significant subset of the suits (and probably other non-techies) tend to think of Microsoft Exchange and its obnoxious client as the only way to handle email. Keep in mind that the main design smells appointment book not messaging. My longish rant on the topic can be found at http://bsdly.blogspot.com/2011/02/problem-isnt-email-its-microsoft.html , enjoy!
PETA To Launch Pornography Website
I'm pretty sure that embracing the root zone poisoning .xxx domain wankers is not ever going to earn them enough cash to help a single animal in need. This is a total waste of time and money IMNSHO.
The kind of story you'd expect to see in very-late March or very-early April, but that doesn't fit the calendar in that particular universe I inhabit.
Mozilla MemShrink Set To Fix Firefox Memory
firefox developers could do a lot worse than reading the openbsd-misc thread that starts with http://marc.info/?l=openbsd-misc&m=130683944229077&w=2 and take some of it to heart.
In the meantime I'd love any pointers at all to where you can buy the systems they used for development and testing - apparently you can actually buy systems with infinite memory so you can do extensive testing and never notice firefox has a memory management problem.
Number of firefox crashes while typing this comment: four.
Ask Slashdot: What To Do With Other People's Email?
I think you're touching on a very large part of the problem when you write
> The big problem I am having is with companies and websites. These emails are often no-reply, which means I can't send back a quick note.
I've always thought that sending messages with invalid return addresses or with a return address that's routed to the functional equivalent of /dev/null is intolerably rude. In fact, I think sending a message with the intention of discarding any reply is pretty close to the maximum amount of disrespect you can show your message's recipient.
I have one message to the executives of companies that send email with 'no-reply' return addresses, who deserve to be faced with a boycott: If you're not interested in reading our replies, we're not interested in sending you any money either.
I don't think Microsoft Exchange addiction (as I've blogged on in the past, see my .signature) should count as an excuse either. Sending mail with a deliverable return address is a matter of a minimum of common courtesy and civility.
Linux Gets Dynamic Firewalls In Fedora 15
The concept isn't very new or radical, but it will be interesting to see how their implementation behaves in real life.
Over in OpenBSD land, PF has supported tables of IP addresses that can be manipulated on the fly for years (see eg these table samples). One common use is (courtesy of another useful adaptive feature called state tracking options) to detect and block bruteforcers (see eg this set of tutorial examples). In addition, the OpenBSD versions of dhcpd and bgpd as well as other applications are routinely set up to interact with your filtering config via tables.
Another adaptive or dynamic feature is anchors, named sub-rulesets where applications such as a proxy (ftp-proxy for example) or relayd (the load balancer) can insert and delete rules as needed. You can manipulate rules inside anchors from the command line too, of course.
My BSDCan slides have more material, as of course does The Book of PF, and never forget The PF docs as the authoritative source.
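The combination of a table, state tracking options and an anchor that the comment above describes, written out as an added pf.conf example (this is not the commenter's own configuration; the table name, the ssh port and the thresholds are illustrative choices):

```pf
# Added example: a pf.conf fragment showing a table that a rule fills
# on the fly (overload) and that pfctl can edit while the ruleset is loaded.
# Names and thresholds below are illustrative choices, not from the comment.

# 'persist' keeps the table even when no rule references it at load time.
table <bruteforce> persist

# Anything already in the table is dropped before the pass rules are evaluated.
block quick from <bruteforce>

# State tracking options: a source opening more than 15 connections in
# 5 seconds, or holding more than 100 at once, is added to <bruteforce>,
# and 'flush global' tears down all of its existing states on every rule.
pass in on egress proto tcp to port ssh \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
                overload <bruteforce> flush global)

# A named anchor where a daemon such as ftp-proxy(8) inserts and removes
# its own rules at run time, without reloading the main ruleset.
anchor "ftp-proxy/*"

# Table maintenance from the command line (pfctl(8)), no reload needed;
# 192.0.2.10 is a documentation-range address used only for illustration:
#   pfctl -t bruteforce -T show                # list current entries
#   pfctl -t bruteforce -T delete 192.0.2.10   # release one address
#   pfctl -t bruteforce -T expire 86400        # drop entries older than a day
```

Entries added through overload carry a timestamp, which is what the expire command uses, so a periodic expire is the usual way to keep the table from growing without bound.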
France Outlaws Hashed Passwords
The right-hand column on the BBC site has a link to a story called "Europe is 'losing' superbugs battle". The current story is a case in point: Europe is losing big time against the sinister "Stupidity" superbug.
FBI Alleged To Have Backdoored OpenBSD's IPSEC Stack
I'd be more than a little surprised if any part of the US government would in fact agree to let non-disclosure agreements expire automatically. That alone makes me suspicious that the truth content of these allegations is a little thin.
For those of you who are interested in finding out the facts, start by reading the whole thread on openbsd-tech (eg http://marc.info/?t=129236639300001&r=1&w=2 ), it's only a handful of messages so far and I find Damien Miller's response at http://marc.info/?l=openbsd-tech&m=129237675106730&w=2 particularly enlightening. (You're using Damien's code right now, in some other window -- he's been a major OpenSSH developer for quite a while).
Then again, I have to agree with Bob Beck (see http://marc.info/?l=openbsd-tech&m=129236730027908&w=2 ) that this is fairly likely to be part of a personal vendetta of some sort, possibly against either the OpenBSD project or even something totally unrelated, using the OpenBSD project only as the attention-grabber in contexts such as /.
At this point we have only allegations with some finger pointing, I for one look forward to any real information to surface. The best way to draw out the real information behind this is to do what Theo did - publish the allegations and let the involved parties explain themselves in public.
Google eBookstore Launched
- such as No Starch press (http://nostarch.com), and quite possibly others.
I find it's always worth mentioning that there are publishers out there who respect their customers enough to not do the DRM dance, and from the author's view (yes, I am one) the danger of people not reading your stuff is more scary than the danger of not getting paid for every last copy.
Full disclosure: I have a book out on No Starch, The Book of PF, 2nd ed.